HTTP Activity

HTTP Activity is essentially all web-based activity from a user's internet browser (with some exceptions).

It includes web surfing, Internet searching (like Google), mapping websites (Google Earth/Maps), etc.

Most of this data will not contain a strong selector like an e-mail address.
HTTP Activity

HTTP activity comes in two types: client-to-server requests and server-to-client responses.

[Diagram: a user's computer sending a request to the cnn.com server, and the server sending the page back.]
How do you know which side you're looking at?

Client-to-server requests are generally small in size and are computers talking to other computers.

Server-to-client responses are larger and are what web pages look like at home.

So if you're looking at something that looks like a web page, it's server-to-client.

A quick check on the raw data: a request begins with a method and a path (e.g. "GET /search?... HTTP/1.1"); a response begins with the protocol version and a status code (e.g. "HTTP/1.1 200 OK").
HTTP Activity Examples

TOP SECRET//COMINT//20320108

Client-to-Server request (as shown in the XKS DNI display, Type: HTTP-GET, Raw Data):

GET /Hezbollah-Terrorism-Judith-Palmer-Harik/dp/1860648932 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.48 Safari/525.19
Referer: http://www.google.com.pk/search?hl=en&q=written+books+on+hizbollah&btnG=Google+Search&meta=
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,bzip2,sdch
Cookie: ubid-main=185-5525816-8765531; apn-user-id=P1YXY7QF1PTJYQ5
Accept-Language: en-US,en
Accept-Charset: ISO-8859-1,*,utf-8
Host: www.amazon.com
Connection: Keep-Alive
HTTP Activity Examples

Server-to-Client Response (as shown in the XKS DNI display, Type: HTTP, Content Type: HTTP/HTML):

[Screenshot: the rendered Press TV news page returned by the server. Headline "Kuwait government 'resigns' over economy", Mon, 16 Mar 2009 19:07:16 GMT, with the site's section navigation (Home Page, Iran, Middle East, Iraq, Palestine, Lebanon, Turkey, Persian Gulf, US, Asia/Pacific, Europe, Americas, Sci/Tech, Health) and a Latest News sidebar.]
XKS HTTP Activity meta-data differs greatly depending on which side of the traffic we're collecting.

In nearly all cases it's better to have client-to-server traffic: the request carries the host, URL path and arguments, search terms, cookies and user-agent, while the response is mostly page content.
HTTP Activity Client-to-Server

Raw request:

GET /search?tab=urdu&order=sortboth&q=musharraf&start=3&scope=urdu&link=next HTTP/1.1
Accept: */*
Referer: http://search.bbc.co.uk/search?tab=urdu&order=sortboth&q=musharraf&start=2&scope=urdu
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Cookie: BBC-UID=b479a5f4ad230a53063d513630203acb22684634a0e0b164c45f98efc054cf950Mozilla%2f4%2e0%20%28com
Cache-Control: max-stale=0
Host: search.bbc.co.uk

Meta-data XKS extracts from it:

URL Path: /search
URL Args: tab=urdu&order=sortboth&q=musharraf&start=3&scope=urdu&link=next
Search Terms: musharraf
Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: http://search.bbc.co.uk/search?tab=urdu&order=sortboth&q=musharraf&start=2&scope=urdu
Cookie: BBC-UID=b479a5f4ad230a53063d513630203acb22684634a0e0b164c45f98efc054cf950Mozilla%2f4%2e0%20%28com
HTTP Activity Server-to-Client

Application Info
HTTP Type: response
Title: Press TV - Kuwait government 'resigns' over economy
Content Type: HTTP/HTML

[Screenshot: the same rendered Press TV news page as in the earlier response example; the meta-data shown is the HTTP type (response), the content type and the page title.]
HTTP Activity

HTTP Types

Meta-data will also tell you which side of the traffic you're looking at.

Client-to-server has two main types:

HTTP Type: GET
HTTP Type: POST

Server-to-client has only one:

HTTP Type: response
HTTP Activity - Get vs Post

A 'GET' is you requesting data from the server (most web surfing).

A 'POST' is you sending data to the server (i.e. signing in, filling out a form, uploading a file etc.).

The practical difference for the meta-data: in a GET the user's input travels in the URL arguments, so it shows up in the URL Args and Search Terms fields; in a POST it travels in the request body, so the URL path and args alone may show only the form's address, not what was submitted.
XKS SIGDEV: HTTP Traffic

Example: Let's look for all Arabic-font Google queries coming out of the tribal areas of Pakistan.

Information needed is contained in HTTP activity meta-data.

[Screenshot of the XKS query form: Host: www.…, Lifetime: 2008-12-29 07:21:42 (+/-) 3 hours, From Country (IP): PK]
XKS SIGDEV: HTTP Traffic

[Screenshot of the query results: a table with USERID, PHONE, USER A, ACTIVITY and USER B columns. The rows are "<emailAddr> logged in (email)" events stamped 20081119 074259Z through 20081119 074358Z from IP addresses beginning 115. and 116., shown next to a session record with START TIME 20081119 073141Z, STOP TIME 20081119 092841Z, DURATION 0d 01:57:00 and columns CALL DONE, IP ADDRESS and USERID.]
XKS SIGDEV: HTTP Traffic

Now make that into a workflow:

X-KEYSCORE EMAILER

QUERY NAME: Yas_NMFP_Foriegn_Googlers
current time: 2008-11-20 07:15:15 GMT
submitted at: 2008-11-20 03:55:03 GMT
has 14 result(s)

SEARCHES

[Result table: 14 rows, each a timestamp on 2008-11-19 against host www.google.com and the extracted search term (English, or cybertrans from Arabic), with the number of hits in parentheses:]

al qaida (en, en-GB) (1)
The al-Ikhlas network (cybertrans from Arabic) (1)
(referer) the al-Ikhlas network (cybertrans from Arabic) (3)
Forum bride/Au us (cybertrans from Arabic) (1)
Forum love/gram (cybertrans from Arabic) (1)
(referer) forum love/gram (cybertrans from Arabic) (1)
The hills jihadist without inflicting (cybertrans from Arabic) (10)
(referer) the hills jihadist without inflicting (cybertrans from Arabic)
Waziristan (cybertrans from Arabic) (1)
Scandals (cybertrans from Arabic) (2)
(referer) scandals (cybertrans from Arabic) (1)
News (cybertrans from Arabic) (1)
Forum soil (cybertrans from Arabic) (1)
(referer) forum soil (cybertrans from Arabic) (1)

Workflow Value (6)
Many targets use free file-sharing websites to pass messages.

Example: we may see a message like this:

From: badguy@yahoo.com

To: someotherbadguy@yahoo.com

Hey dude check out this file:

http://www.sendspace.com/file/1gojft

Let's use X-KEYSCORE to find who else might have viewed that file.
XKS breaks up URLs into their components:

http://www.google.com/search?hl=ar&lr=&q=terrorism&start=10&sa=N

www.google.com is the 'host', aka everything between the http:// and the first /

/search is the 'url path', aka everything after www.blah.com and before the ?

hl=ar&lr=&q=terrorism&start=10&sa=N is the 'url argument', aka everything after the ?

terrorism is the 'search term'
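The parsing the slides describe (telling request from response by the start line, GET vs POST, splitting a URL into host / url path / url args / search term, and the "who else viewed that file" lookup from the file-sharing example) as one small working example. This is added code, not XKS or any NSA tool; the sample messages are constructed for illustration, the private IP addresses are made up, and the list of query-string keys treated as search terms is an assumption.

```python
"""Parse raw HTTP messages into the meta-data fields the slides describe.

Added example, not XKS code. The sample messages below are constructed;
SEARCH_KEYS is an assumption about which query-string names carry a search term.
"""
from urllib.parse import parse_qs, urlsplit

# Assumption: query-string keys that commonly carry the user's search term.
SEARCH_KEYS = ("q", "query", "p", "search")


def which_side(raw: bytes) -> str:
    """A request starts with a method and a path ('GET /search?... HTTP/1.1');
    a response starts with the protocol version ('HTTP/1.1 200 OK')."""
    start = raw.split(b"\r\n", 1)[0].decode("latin-1")
    return "server-to-client" if start.startswith("HTTP/") else "client-to-server"


def split_message(raw: bytes):
    """Return (start line, headers dict with lower-cased names, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def search_term(args: dict):
    """First non-empty value of a known search-term key, else None."""
    for key in SEARCH_KEYS:
        values = args.get(key, [])
        if values and values[0]:
            return values[0]
    return None


def parse_http(raw: bytes) -> dict:
    """Break one HTTP message into host / url path / url args / search term etc."""
    start, headers, body = split_message(raw)
    if which_side(raw) == "server-to-client":
        status = start.split(" ")[1]
        return {"http_type": "response", "status": int(status),
                "content_type": headers.get("content-type"), "body_len": len(body)}
    method, target, _version = start.split(" ", 2)
    parts = urlsplit(target)          # origin-form target: /path?args
    args = parse_qs(parts.query, keep_blank_values=True)
    rec = {
        "http_type": method,          # GET, POST, ...
        "host": headers.get("host"),  # the 'host'
        "url_path": parts.path,       # everything after the host and before the ?
        "url_args": parts.query,      # everything after the ?
        "search_term": search_term(args),
        "referer": headers.get("referer"),
        "user_agent": headers.get("user-agent"),
        "cookie": headers.get("cookie"),
    }
    # The search term can also ride in the Referer (the results page the user came from).
    if rec["search_term"] is None and rec["referer"]:
        rec["search_term"] = search_term(parse_qs(urlsplit(rec["referer"]).query))
    # A POST carries the user's data in the body, not in the URL args.
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        rec["form"] = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return rec


def who_fetched(records, host: str, url_path: str) -> set:
    """Given (client_ip, raw message) pairs, return the client IPs whose requests
    hit host + url_path: the 'who else viewed that file' query from the slides."""
    hits = set()
    for client_ip, raw in records:
        if which_side(raw) != "client-to-server":
            continue                   # responses carry no host/path meta-data
        rec = parse_http(raw)
        if rec["host"] == host and rec["url_path"] == url_path:
            hits.add(client_ip)
    return hits


# Constructed sample traffic (not captures from the slides; IPs are made up).
GOOGLE_GET = (b"GET /search?hl=ar&lr=&q=terrorism&start=10&sa=N HTTP/1.1\r\n"
              b"Host: www.google.com\r\n"
              b"User-Agent: Mozilla/5.0 (example)\r\n"
              b"Accept-Language: ar,en\r\n\r\n")
RESULTS_CLICK = (b"GET /wiki/Terrorism HTTP/1.1\r\n"
                 b"Host: en.wikipedia.org\r\n"
                 b"Referer: http://www.google.com/search?hl=ar&q=terrorism\r\n\r\n")
LOGIN_POST = (b"POST /login HTTP/1.1\r\n"
              b"Host: mail.example.net\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 23\r\n\r\n"
              b"user=alice&pass=hunter2")
FILE_GET = b"GET /file/1gojft HTTP/1.1\r\nHost: www.sendspace.com\r\n\r\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
            b"<html><body>news page</body></html>")
SAMPLE_RECORDS = [("10.0.0.1", FILE_GET), ("10.0.0.2", GOOGLE_GET),
                  ("10.0.0.3", FILE_GET), ("10.0.0.4", RESPONSE)]

if __name__ == "__main__":
    for msg in (GOOGLE_GET, RESULTS_CLICK, LOGIN_POST, RESPONSE):
        print(which_side(msg), parse_http(msg))
    print(who_fetched(SAMPLE_RECORDS, "www.sendspace.com", "/file/1gojft"))
```

Two points the code makes that the slides only imply: the search term for a click-through request often lives in the Referer rather than the request's own URL, and a POST's submitted fields are invisible in the URL args, so a login or upload has to be read from the body.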
XKS SIGDEV: HTTP Traffic

EX: Targets pass links to videos; use XKS to discover new targets who have viewed those videos.

In HB 00215-09, he promises that the newest video will be ready very soon, and then sends these two links:

http://www.load.to/
http://www.files.to/Qe

[Screenshot of the XKS query form: Datetime: 2 weeks, Start: 2008-12-23 00:00, Stop: 2009-01-06 23:59; HTTP Type, Host: www.files.to, URL Path.]

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

XKS SIGDEV: HTTP Traffic

[Screenshot of the results: rows timestamped 20081231 224606Z through 20081231 225021Z, each "<emailAddr> logged in (email)" from an IP address beginning 59., under USERID, PHONE, USER A, ACTIVITY and USER B columns.]
(TS//SI//OC/REL TO USA, AUS, CAN, GBR, NZL) During his Internet session, 'Atiyah queried on himself, "Shaykh 'Atiyatallah," and on the name "Khalid al-Habib." (3/00/7878-08)

(TS//SI//OC/REL TO USA, AUS, CAN, GBR, NZL) During his session on 16 September, 'Atiyah used a U.S. search engine to search for information on himself and a possible associate. 'Atiyah submitted Arabic queries for an alias of his, "'Atiyahtallah", and his real name, "Jamal Ibrahim Ishtaywi". 'Atiyah also queried for "A Revealing View." (COMMENT: This is likely a reference to the book he recently wrote entitled "Lebanese Hezballah and the Palestinian Issue - A Revealing View.") 'Atiyah also queried for "'AM 'Iwad al-Harabi" (no further information).

On 17 September, 'Atiyah searched again on the title of his book. (3/00/7151-08)

(TS//SI//OC/REL TO USA, AUS, CAN, GBR, NZL) During the 1035Z to 1143Z online activity, 'Atiyah down-loaded the VoIP application Skype to his private computer. During an earlier online session from approximately 0902Z to 0935Z, either 'Atiyah or his wife, Jamila, also down-loaded Skype onto her private computer. (3/00/10570-07)

(TS//SI//OC/REL TO USA, AUS, CAN, GBR, NZL) Although much of 'Atiyah's online activity is communication, he is also a "news hound." While located in Sanandaj, 'Atiyah daily visited several online international news sites, such as the Qatar-registered al-Jazeera news website, and Arabic language versions of U.S.-based and U.K.-based news organizations. Also, 'Atiyah frequently visits religious sites, such as the Saudi Arabia-registered islamtoday.net. (3/00/21045-07)